diff --git a/09 - Audits/Activity Log.md b/09 - Audits/Activity Log.md index 7854dc4..a8d9acd 100644 --- a/09 - Audits/Activity Log.md +++ b/09 - Audits/Activity Log.md @@ -951,4 +951,32 @@ existing server-side point grants. --- +### 2026-06-03 — backend v2.8.68 + frontend v2.8.73 — pending-email flow, referral signup bonus, Mini App cleanups + +**Backend v2.8.68 — email change now requires verification before it applies:** +- New `pendingEmail` field. Changing email parks the new address in pendingEmail + (NOT email) and sends a code to the NEW address; the account email + its + verified status stay intact until the code is confirmed, then pendingEmail is + promoted to email (with a re-check nobody else claimed it). Resend targets the + pending address. Implemented in the Mongoose User model AND the Postgres + authStore path (PgAuthUser field + constructor + toObject + savePgUser + INSERT/ON CONFLICT params + mirrorUserToMongo + `pending_email` column via + idempotent ALTER in postgresAuthSchema). userController.updateUserProfile / + resendCurrentUserEmailVerification / verifyCurrentUserEmail updated. +- **Referral signup bonus:** referrer gets +50 points the moment someone signs + up with their code (email + Google paths) via PointsService.addPoints (source + 'referral'), referralStats.totalEarned kept in step, 'referral-reward' socket + event. Best-effort, never blocks signup. Separate from the 2% purchase commission. + +**Frontend v2.8.73 — Mini App:** +- Removed the «وضعیت‌های امانت» escrow-states legend from Home. +- Removed the Passkey row from the account tab (not wanted in the Mini App). +- Welcome-banner greeting uses the AMN account name before the Telegram profile + name, so an in-app rename updates it (was stuck on Telegram's "Anonymous …"). +- Settings email verify aligned with the pending-email flow: inline code panel + shows whenever a change is pending or the email is unverified; clears on verify. +**Verification:** backend tsc clean; frontend tsc + eslint clean. + +--- +